DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
April 30, 2014, 03:39:20 PM |
|
I agree - a situation that allowed multiple threads to submit multiple deposit requests at the same time, and the withdrawal daemon not doublechecking balances before sending the funds is born of inexperience. I guess my defense comes against all the other accusations - like not paying a "real" programmer, or the call that it's a bad exchange because of a singular, well handled issue.
You're missing the point. There shouldn't be any double checking. That is an idiotic (and very flawed) "solution". This wasn't a bug in the code, it was a fundamental misunderstanding of transaction processing. This is databases 101. The operations updating the balances should be database transactions. It would be IMPOSSIBLE for a double payment to occur if the updates were done ATOMICALLY.
http://en.wikipedia.org/wiki/Atomicity_(database_systems)
It is a basic cornerstone of data integrity. The language, application, or actual code used is irrelevant. This is something taught at the freshman level in computer science curriculum. The fact that this seems to come as news to you (or you think the solution is some flawed double checking system) is scary as you are also running an exchange.
|
|
|
|
allcrypt
|
|
April 30, 2014, 06:18:19 PM |
|
I agree - a situation that allowed multiple threads to submit multiple deposit requests at the same time, and the withdrawal daemon not doublechecking balances before sending the funds is born of inexperience. I guess my defense comes against all the other accusations - like not paying a "real" programmer, or the call that it's a bad exchange because of a singular, well handled issue.
You're missing the point. There shouldn't be any double checking. That is an idiotic (and very flawed) "solution". This wasn't a bug in the code, it was a fundamental misunderstanding of transaction processing. This is databases 101. The operations updating the balances should be database transactions. It would be IMPOSSIBLE for a double payment to occur if the updates were done ATOMICALLY.
http://en.wikipedia.org/wiki/Atomicity_(database_systems)
It is a basic cornerstone of data integrity. The language, application, or actual code used is irrelevant. This is something taught at the freshman level in computer science curriculum. The fact that this seems to come as news to you (or you think the solution is some flawed double checking system) is scary as you are also running an exchange.
So, double checking, to be doubly, quadruply sure, is a flawed idea? So, do it "right" and then assume that NOTHING ELSE COULD EVER POSSIBLY GO WRONG, and there's no need to double check, because you did it the right way, and it's utterly impossible that anything could be flawed? That thinking is just AS wrong.
Edit: As a side note, all our database operations are transactional. THAT BEING SAID, we also doublecheck at EVERY point of possible failure to ensure that JUST IN CASE, nothing bad happens. For you to dismiss my argument because they should have been doing what you argue is asinine. Doing single threaded database transactions is absolutely zero guarantee that something can't break. You double check. Always.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
April 30, 2014, 09:54:50 PM Last edit: June 02, 2014, 08:03:00 PM by DeathAndTaxes |
|
Database operations involving financial data should be atomic. If you have implicit atomic operations that are not atomic, you have a lot bigger problems and your dubious "double check" is unlikely to catch them either. Do you double check all your math operations as well? I mean they might not be right as well.
    x = x + 5
vs
    y = x
    y = y + 5
    assert (y = x + 5)
    x = y
My guess is you don't do such silly and worthless double checks because it would be pointless. If the processor is setting x to anything other than five more than its existing value then well your "double check" is affected as well. Writing checks to protect yourself from that kind of failure serves no purpose. When your users log in do you hash their password and if it matches then check again? What if the deterministic computer made a mistake and the password was wrong but it returned true? Maybe you should do it three times just to "super duper" make sure? No, you perform the operation once and you (should) check once and validate those operations using unit tests. You use code coverage tools to ensure you are covering all scenarios. If you find bugs then you add unit and integration tests to cover those conditions as well. Writing code that requires "double checks" is insecure code. I guarantee your bank doesn't do such nonsense. Please cite a single reputable source advising to "double check" atomic operations.
However all that is a side tangent to the fact that the site was "hacked" (if you call someone asking for money more than once and getting it a "hack") because FINANCIAL TRANSACTIONS WERE NOT ATOMIC. The issue wasn't that the double checks weren't "good enough", it was because the site didn't use atomic operations to begin with. If the site had better "double checks" then it is possible they would have avoided that attack and just fallen for another one. That is a fundamental flaw, it isn't a bug in the code, it is a conceptual problem.
It would be like building a car with no brakes and saying if the person wants to stop they will just take their foot off the gas (as far in advance as necessary). A car like that wouldn't be one which has some technical issues to work out, it would be fundamentally flawed. Then you have someone like yourself come along and say it isn't a fundamental flaw, just a bug in development. Obviously the answer is to make sure the dashboard has a warning light so the user can double check if they should stop accelerating before they end up in a situation where they can't stop in time. Of course that scenario is just stupid, as is a scenario where you use double checks instead of atomic operations to handle money.
You double check. Always.
Do you think your Bitcoin wallet performs double checks? Create the tx, then create it again just to be sure it isn't different and if tx1 == tx2 then you are safe? Why not? Do you feel it is insecure that it instead relies on atomic operations instead of pointless double checks?
So, double checking, to be doubly, quadruply sure, is a flawed idea?
There is no such thing as "doubly sure". You are either right or you are wrong. A single deterministic check is as good as it gets. If your check was deterministic then you don't need to double check and if it wasn't then it is a flaw and should be fixed rather than relying on a second (possibly also non-deterministic) check.
|
|
|
|
allcrypt
|
|
April 30, 2014, 10:15:40 PM |
|
No, because none of your arguments make any sense for how an exchange works. You're telling them, and me, that we have no idea how to run an exchange, when you've obviously no idea how they work. You're using hyperbole and silly arguments to try and prove me wrong, and at this point, it's clear that you know you're right even though you obviously don't fully understand how these systems work, and not a damn thing I say will convince you otherwise.
A debate or discussion with someone who is not interested in anything but proving they are right is one not worth having. So, I'm out. Gotta go remove all those silly and unnecessary checkpoints from the code.
|
|
|
|
Biomech
Legendary
Offline
Activity: 1372
Merit: 1022
Anarchy is not chaos.
|
|
May 01, 2014, 02:10:48 AM |
|
That being said - they were the first exchange to have an issue and immediately be not only transparent about it, but also to give the details
This is good, HOWEVER he also received strong warnings from several respected members, pointing out how he was clearly clueless about what he was doing, and he completely ignored them. Even if he's not actively scamming you, he'll most likely be brought down by "the next big break". It's only a matter of time.
That's hearsay unless you can provide links to comments. Anyone can claim "he was warned!" Just to make him look bad. But that's disingenuous without links to back that up. He cannot disprove a negative. It's on you to show that it happened. I'm a customer, after the hack, and while I think the interface is ugly, I've had no problems.
After the hack, he was warned in this thread about some of his practices and (lack of) knowledge. While I do not think he publicly stated one way or the other if he was hiring programmers, I doubt that he ignored the people who spoke with him on the issue. I don't see it as a huge issue, as long as he HAS implemented better security. That being said, I never leave much in an exchange unless I'm actively trading. It just seems unwise.
|
|
|
|
nutildah
Legendary
Offline
Activity: 3164
Merit: 8565
Happy 10th Birthday to Dogeparty!
|
|
May 02, 2014, 01:47:16 AM |
|
I didn't read the 35 middle pages of this thread but have you guys done much exploration of what kinds of transactions the thief address leads to??? He gave a lot of this money to an account that has over $150 million worth of transactions in it!!
Address 1N2f642sbgCMbNtXFajz9XDACDFnFzdXzV
Are they some sort of underground criminal enterprise or something? Dr. Evil would be quite jealous... I hope the feds find this information and bust their stupid asses. Yes, if you make the world a stupider place for a living, you are stupid. It doesn't matter how much money it nets you, you're an idiot.
In case you're wondering if I'm a noob:
<------------ it's right under my name.
|
|
|
|
counter
|
|
May 02, 2014, 01:56:05 AM |
|
Well with the large amount of coins going missing these days it wouldn't surprise me if there was an elite group of scammers pulling off these heists.
|
|
|
|
barryzand
|
|
May 02, 2014, 08:15:39 PM |
|
POLONIEX is attacked NOW !!!!!!!!!!!!!!!!!!!!
BTC BASTARDS I WILL KILL YOU
yeah, where the hell is the website ? EDIT: Poloniex Exchange @Poloniex 1 hour Site is down. Working on it.
|
|
|
|
koshgel
Legendary
Offline
Activity: 1162
Merit: 1001
|
|
May 02, 2014, 09:12:58 PM |
|
Is there an ETA for how long it will be down?
|
|
|
|
altcoinherald
|
|
May 02, 2014, 10:36:58 PM |
|
Is there an ETA for how long it will be down?
According to chat room gossip the ETA is unknown.
|
|
|
|
DubFX
|
|
May 03, 2014, 01:25:18 AM |
|
Is there an ETA for how long it will be down?
Hopefully soon...was it ddos or what?
|
|
|
|
koshgel
Legendary
Offline
Activity: 1162
Merit: 1001
|
|
May 03, 2014, 02:17:58 AM |
|
Is there an ETA for how long it will be down?
Hopefully soon...was it ddos or what?
No idea. Seems it's for maintenance but it's been a while
|
|
|
|
madmartyk
Legendary
Offline
Activity: 2702
Merit: 1030
Yes I am a pirate, 300 years too late!
|
|
May 03, 2014, 02:19:01 AM |
|
Crap, sent some altcoins there before I knew it was down. Hope they make it and are safe!!
|
|
|
|
digit
Legendary
Offline
Activity: 1672
Merit: 1014
|
|
May 03, 2014, 04:15:34 AM |
|
no exchange should go offline like this using maintenance as a reason :\
|
|
|
|
nutildah
Legendary
Offline
Activity: 3164
Merit: 8565
Happy 10th Birthday to Dogeparty!
|
|
May 03, 2014, 04:19:38 AM |
|
|
|
|
|
TotalPanda
Legendary
Offline
Activity: 1946
Merit: 1012
vertex output parameter not completely initialized
|
|
May 03, 2014, 10:19:02 AM |
|
POLONIEX is attacked NOW !!!!!!!!!!!!!!!!!!!!
BTC BASTARDS I WILL KILL YOU
yeah, where the hell is the website ? EDIT: Poloniex Exchange @Poloniex 1 hour Site is down. Working on it.
I WAS DRUNK
|
|
|
|
wealthy$
|
|
June 02, 2014, 07:09:22 PM |
|
i really hope they come up soon, i have a lot of coins with them.
|
|
|
|
DolanDuck
|
|
June 02, 2014, 07:18:37 PM |
|
i really hope they come up soon, i have a lot of coins with them.
Have you really tried to enter the website? I can access it without any issue since this morning.
|
|
|
|
daibasen
Newbie
Offline
Activity: 30
Merit: 0
|
|
June 27, 2014, 04:35:11 AM |
|
What's the status with the stolen BTC from Poloniex? Has everyone been fully reimbursed yet?
|
|
|
|
KimNam
|
|
June 27, 2014, 08:07:45 AM |
|
What's the status with the stolen BTC from Poloniex? Has everyone been fully reimbursed yet?
I thought they paid all of their debt to customers; that's why we don't see the debt coin statistic in our Poloniex balance. Just to make sure, ask here: https://bitcointalk.org/index.php?topic=420836.0
|
|
|
|
|